[Openicc] Introduction / Gutenprint]
Craig Bradney
cbradney at zip.com.au
Wed Apr 13 16:54:54 EST 2005
Yep, sorry, I just picked dirs from the air. Those were the ones previously
agreed as shown.
Craig
On Wednesday 13 April 2005 08:56, Kai-Uwe Behrmann wrote:
> Some time ago we had reached agreement on this list to use
> /usr/share/color/icc and ~/.color/icc as default paths for profiles.
> See additionally
> <http://bugs.freestandards.org/show_bug.cgi?id=77>
>
> regards
> Kai-Uwe Behrmann
> + development for color management
> + imaging / panoramas
> + email: ku.b at gmx.de
> + http://www.behrmann.name
>
> Am 12.04.05, 22:00 +0200 schrieb Craig Bradney:
> > On Tuesday 12 April 2005 21:49, Michael Sweet wrote:
> > > Craig Bradney wrote:
> > > > ...
> > > > And the case where theres only one user on a computer using ICC and
> > > > the others not, and that person doesnt have rights to put files in a
> > > > system dir? Surely a profile can be loaded from anywhere. Are there
> > > > passwords in profiles in any case?
> > >
> > > No, but it is far easier to force files to be relative to a
> > > controlled directory than to filter out the paths and permissions
> > > allowed for a specific, possibly non-local user. Both the System V
> > > lp and Berkeley lpr print spoolers have a long history of security
> > > problems caused by direct access/references to files.
> > >
> > > The issue isn't "are there passwords in profiles", it is "can I
> > > provide a filename to CUPS which will cause it to emit an error
> > > message that discloses some information that is in the file", or
> > > "can I provide a filename that will cause a buffer overflow in
> > > the ICC parser and execute arbitrary code"....
> > >
> > > In short, if you want to share your personal profiles, you need
> > > to run a command to do it (or have some nice GUI do it for you) -
> > > we won't configure CUPS to be insecure by default.
> >
> > Ok.. continuing playing devils advocate here..
> >
> > and in the case where the printer isnt run via CUPS? Shouldnt we be
> > moving towards a general system (and user) location (/etc/icc and ~/.icc
> > perhaps) rather than locating in a particular application's or server's
> > install dirs?
> >
> > Craig
> > _______________________________________________
> > openicc mailing list
> > openicc at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/openicc
>
> Mit freundlichen Grüßen
> Kai-Uwe Behrmann
> + Programmierung für
> + Farbmanagement / Bilder / Panoramen
> + http://www.behrmann.name
> + email: ku.b at gmx.de
More information about the openicc
mailing list